A HackBack Gaming Event
Ransomware Scenario
HackBack
Company Profile
Citum Energy Solutions
Citum Energy has grown from 0 to 200 employees and $50M in 10 years. The company provides clean energy solutions and consulting to several enterprise customers and government agencies. It holds some consumer PII, but is primarily focused on larger customers. Employees are a dispersed remote or hybrid workforce, primarily in Denmark but with outsourced development in India. The company has grown fast; data security matters, but it has become harder to control as people and processes become more difficult to track in this fast-moving environment.
Introductions
Everybody (IM included) introduces themselves as their real selves
Rules
- Prior to the game everybody rolls a D20 for initiative (turn order)
- We play three rounds in the same scenario
- Each player has one turn per round
- Can take two actions per turn
  - Talk to someone
  - Do something (or make someone else do something)
- IM will tell you what you can do, which modifiers are active and what happened
- At the end of each round we update company health
- After three rounds we’ll see if your company is still open!
Company Background
- Time in business: 10 years
- Security Acumen: Medium importance
- Primary Goal: Grow business 15% per year
- Concerns: How to grow the business faster?
- Board interaction: Medium
- Stability: Medium
Organization
```mermaid
graph TD;
    A[CEO]
    B[COO]
    C[CIO]
    D[CFO]
    E[CMO]
    F[Ops Dir]
    G[VP Consulting]
    H[Consultants]
    I[CTO]
    J[Dev Director]
    K[Dev Team]
    L[SRE]
    M[Sr. Network Engineer]
    N[CISO]
    O[Infosec Manager]
    P[HR Director]
    Q[HR Team]
    R[Finance Director]
    S[Budget Team]
    T[Accounting]
    U[Sales Director]
    V[Sales Team]
    W[IT Admin]
    X[Legal - External]
    Y[External Vendor]
    A --> B;
    A --> C;
    A --> D;
    A --> E;
    B --> F;
    F --> G;
    G --> H;
    C --> I;
    I --> J;
    J --> K;
    I --> L;
    L --> M;
    C --> N;
    N --> O;
    D --> P;
    P --> Q;
    D --> R;
    R --> S;
    S --> T;
    E --> U;
    U --> V;
    I --> W;
```
Tech stack
- Web, marketing, and proprietary clean energy solution infrastructure in Azure
  - Azure virtual machines and some serverless infrastructure
  - Website managed by a third-party firm
  - Data collectors from clean energy solutions, sensors, and other IoT devices
- Microsoft 365 IT infrastructure
  - E5, Azure AD, Intune, Teams, SharePoint, OneDrive, Office 365
- Other infrastructure includes:
  - Various SaaS applications
- Security Stack
  - Cisco firewalls w/ VPN
  - Defender for Endpoint
  - Defender for Cloud
  - Exchange Online
Security Stack
| Tool | Function |
| --- | --- |
| Tenable Nessus | Vuln scanner |
| Cisco | Basic firewall |
| Exchange Online | Email security |
| Defender for Endpoint | Endpoint security |
Company Staff
| Role | Player |
| --- | --- |
| CEO | TBD |
| CFO | Out |
| CMO | TBD |
| CISO | Open Role |
| CTO | TBD |
| IT Admin | TBD |
| Sys Engineer | TBD |
| Windows Arch. | TBD |
| ISM | TBD |
| CLO/Vendor | TBD |
Round 0
Citum Press Release Party
Time: 16.05, Friday
Getting into character
Citum is having a celebration for employees after a successful press release with well-deserved media attention. Time to get in character and mingle.
Tell us something about your character. Work life. Personal life. Whatever strikes your fancy. Otherwise, I’ll be that awkward guy that asks awkward questions.
Round 1
Things that happen on a Friday afternoon…
Time: 16.50, Friday
The IT Admin notices a suspicious login alert from Microsoft for an account belonging to another member of IT.
This grabs attention because that person is on vacation.
Round 1
Company Health Check #1
Company Health: 100
Round 2
Things you can and can’t do!
Time: 09.20, Saturday (next day)
IT appears to have been locked out of the admin accounts for the Azure and Microsoft 365 environments.
The CEO receives a message demanding a ransom to restore access.
Round 2
Company Health Check #2
Round 3
The trouble doesn’t just make itself!
Time: 09.40, Monday (two days later)
Employee workstations appear to have been encrypted and customers are calling and reporting that business services are down.
Round 3
Company Health Check #3
It’s over!
It’s the darndest thing…
What’s really going on?
- Microsoft account of IT member phished and compromised
- Deployed remote access tool to select endpoints
- MFA and some security features had been disabled on some accounts at the direction of the CEO
- Elevated to Global Admin via password vault access
- Attackers created multiple new admin accounts and reset passwords of existing admin accounts
- While attackers contacted the CEO, endpoint ransomware was being prepared
- Attempts to remove the attackers from the environment were incomplete
- They also stole customer data and source code and deleted backups they could find
- Ransomware deployed to endpoints in a further attempt to get payment
Which actions should be taken?
- Engage Incident Response Plan
- Investigate suspicious login and subsequent activity
- Identify status of backups
- Identify gaps in current configuration
- Hire incident response firm
- Examine endpoint logs for unusual connections
- Use multiple tools to form a larger picture
- MS Sentinel partially deployed and of use, but log storage is limited due to lack of budget
- Forensics on Azure/M365 and affected workstations
- Engage legal counsel/DPO as data was stolen
- Use of communication plan
- Completely remove attacker!
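The "investigate suspicious login and subsequent activity" and "completely remove attacker" items above are easier to reason about with a concrete triage pass. The following is an added example, not part of the exercise materials: it runs over constructed records shaped like Azure AD sign-in and audit log entries, correlates the round 1 alert (a sign-in for a user on leave) with later directory changes, and returns both the findings and the full set of principals that eviction has to disable or re-credential. Field names, operation strings and every account name are assumptions.

```python
# Constructed Azure AD style sign-in/audit records; field names, operations and accounts are assumptions.
SIGNIN_LOGS = [
    {"time": "2023-06-09T14:50:00Z", "user": "it.engineer@citum.example",
     "ip": "203.0.113.77", "country": "RO", "result": "success"},
]
AUDIT_LOGS = [
    {"time": "2023-05-20T10:00:00Z", "actor": "itadmin@citum.example",
     "operation": "Disable Strong Authentication", "target": "ceo@citum.example"},
    {"time": "2023-06-09T15:31:00Z", "actor": "it.engineer@citum.example",
     "operation": "Add user", "target": "svc-backup@citum.example"},
    {"time": "2023-06-09T15:32:00Z", "actor": "it.engineer@citum.example",
     "operation": "Add member to role", "target": "svc-backup@citum.example",
     "role": "Global Administrator"},
    {"time": "2023-06-10T07:10:00Z", "actor": "svc-backup@citum.example",
     "operation": "Reset user password", "target": "itadmin@citum.example"},
]
ON_LEAVE = {"it.engineer@citum.example"}   # constructed HR leave list
KNOWN_ADMINS = {"itadmin@citum.example"}   # constructed list of sanctioned admins


def triage(signins, audits, on_leave, known_admins):
    """Correlate sign-ins with directory changes. Returns (findings, suspect): findings are
    (severity, time, text); suspect is every principal eviction must disable or re-credential."""
    findings, suspect, new_accounts = [], set(), set()
    for s in signins:
        if s["result"] == "success" and s["user"] in on_leave:
            findings.append(("high", s["time"], f"sign-in for user on leave "
                             f"{s['user']} from {s['ip']} ({s['country']})"))
            suspect.add(s["user"])
    for a in audits:
        op, actor, tgt = a["operation"], a["actor"], a["target"]
        tainted = actor in suspect or actor in new_accounts   # acting as a compromised identity
        if op == "Add user":
            new_accounts.add(tgt)
            if tainted:
                findings.append(("high", a["time"], f"new account {tgt} created by {actor}"))
        elif op == "Disable Strong Authentication":
            sev = "high" if tainted else "medium"   # medium: pre-existing configuration gap
            findings.append((sev, a["time"], f"MFA disabled on {tgt} by {actor}"))
        elif op == "Add member to role" and a.get("role") == "Global Administrator":
            sev = "critical" if tainted or tgt in new_accounts else "medium"
            findings.append((sev, a["time"], f"{tgt} added to Global Administrator by {actor}"))
            if sev == "critical":
                suspect.add(tgt)   # a freshly created global admin is attacker-controlled
        elif op == "Reset user password" and (tainted or tgt in known_admins):
            findings.append(("critical", a["time"], f"password of {tgt} reset by {actor}"))
        if tainted:
            suspect.add(tgt)   # anything a suspect principal touched is suspect too
    return sorted(findings, key=lambda f: f[1]), suspect
```

The returned suspect set is the point: resetting only the phished user leaves the attacker's new admin and the reset existing admin in place, which is the "incomplete removal" described in the scenario.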
Talk Back
- IM Observations
- Player Self-Evaluation
- Was the exercise a success?
- Do Different?
  - Each person, around the table
- Do Better?
  - Each person, around the table